fix: Endpoints /login and /verifyPassword ignore _User protectedFields

mtrezza · mtrezza · commit 8b856c3a9558 · 2026-04-07T11:38:36.000+01:00
diff --git a/spec/ProtectedFields.spec.js b/spec/ProtectedFields.spec.js
@@ -1973,6 +1973,64 @@ describe('ProtectedFields', function () {
       expect(response.data.objectId).toBe(user.id);
     });
 
+    it('/login respects protectedFieldsOwnerExempt: false', async function () {
+      await reconfigureServer({
+        protectedFields: {
+          _User: {
+            '*': ['phone'],
+          },
+        },
+        protectedFieldsOwnerExempt: false,
+      });
+      const user = await Parse.User.signUp('user1', 'password');
+      const sessionToken = user.getSessionToken();
+      user.set('phone', '555-1234');
+      await user.save(null, { sessionToken });
+
+      const response = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/login',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ username: 'user1', password: 'password' }),
+      });
+      expect(response.data.phone).toBeUndefined();
+      expect(response.data.objectId).toBe(user.id);
+      expect(response.data.sessionToken).toBeDefined();
+    });
+
+    it('/verifyPassword respects protectedFieldsOwnerExempt: false', async function () {
+      await reconfigureServer({
+        protectedFields: {
+          _User: {
+            '*': ['phone'],
+          },
+        },
+        protectedFieldsOwnerExempt: false,
+        verifyUserEmails: false,
+      });
+      const user = await Parse.User.signUp('user1', 'password');
+      const sessionToken = user.getSessionToken();
+      user.set('phone', '555-1234');
+      await user.save(null, { sessionToken });
+
+      const response = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/verifyPassword',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({ username: 'user1', password: 'password' }),
+      });
+      expect(response.data.phone).toBeUndefined();
+      expect(response.data.objectId).toBe(user.id);
+    });
+
     it('owner sees non-protected fields like email when protectedFieldsOwnerExempt is true', async function () {
       await reconfigureServer({
         protectedFields: {
diff --git a/src/Routers/UsersRouter.js b/src/Routers/UsersRouter.js
@@ -364,12 +364,30 @@ export class UsersRouter extends ClassesRouter {
       req.info.context
     );
 
+    // Re-fetch the user with the caller's auth context so that
+    // protectedFields and CLP apply correctly
+    const userAuth = new Auth.Auth({
+      config: req.config,
+      isMaster: false,
+      user: Parse.Object.fromJSON({ className: '_User', objectId: user.objectId }),
+      installationId: req.info.installationId,
+    });
+    const filteredUserResponse = await rest.get(
+      req.config,
+      userAuth,
+      '_User',
+      user.objectId,
+      {},
+      req.info.clientSDK,
+      req.info.context
+    );
+    const filteredUser = filteredUserResponse.results?.[0] || user;
+    filteredUser.sessionToken = user.sessionToken;
     if (authDataResponse) {
-      user.authDataResponse = authDataResponse;
+      filteredUser.authDataResponse = authDataResponse;
     }
-    await req.config.authDataManager.runAfterFind(req, user.authData);
 
-    return { response: user };
+    return { response: filteredUser };
   }
 
   /**
@@ -436,8 +454,24 @@ export class UsersRouter extends ClassesRouter {
       .then(async user => {
         // Remove hidden properties.
         UsersRouter.removeHiddenProperties(user);
-        await req.config.authDataManager.runAfterFind(req, user.authData);
-        return { response: user };
+        // Re-fetch the user with the caller's auth context so that
+        // protectedFields and CLP apply correctly
+        const userAuth = new Auth.Auth({
+          config: req.config,
+          isMaster: false,
+          user: Parse.Object.fromJSON({ className: '_User', objectId: user.objectId }),
+          installationId: req.info.installationId,
+        });
+        const filteredUserResponse = await rest.get(
+          req.config,
+          userAuth,
+          '_User',
+          user.objectId,
+          {},
+          req.info.clientSDK,
+          req.info.context
+        );
+        return { response: filteredUserResponse.results?.[0] || user };
       })
       .catch(error => {
         throw error;
